Description
The DSGVO snippet for Leaflet Map and its Extensions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `leafext-cookie-time` and `leafext-delete-cookie` shortcodes in all versions up to, and including, 3.1. This is due to insufficient input sanitization and output escaping on user supplied attributes (`unset`, `before`, `after`). This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-03-26
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross-Site Scripting
Action: Immediate Update
AI Analysis

Impact

The vulnerability allows authenticated users with contributor or higher access to inject arbitrary JavaScript through the `leafext-cookie-time` and `leafext-delete-cookie` shortcodes by supplying unsafe values for the `unset`, `before`, and `after` attributes. The injected code is stored with the post and executed whenever a page containing the affected shortcode is viewed, giving attackers the ability to steal cookies, hijack sessions, or perform other client-side malicious actions.

Affected Systems

WordPress sites running the DSGVO snippet for Leaflet Map and its Extensions plugin version 3.1 or earlier are affected. Users with contributor role or greater can exploit the flaw by creating or editing content that includes the vulnerable shortcodes.

Risk and Exploitability

The flaw carries a CVSS score of 6.4, indicating moderate severity. EPSS data is unavailable and the vulnerability is not listed in KEV, suggesting no confirmed public exploits. Exploitation requires authenticated access with contributor privileges and the ability to add or edit pages. Once injected, the malicious script runs in the browsers of all users who view the affected page, potentially compromising confidentiality and session integrity.

Generated by OpenCVE AI on March 26, 2026 at 06:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the DSGVO snippet for Leaflet Map and its Extensions plugin to version 3.4 or later
  • Restrict contributor or lower roles from adding or editing content that may include the vulnerable shortcodes
  • If an upgrade is not immediately possible, consider removing or disabling the leafext-cookie-time and leafext-delete-cookie shortcodes from sites
  • Monitor site activity for signs of XSS or unauthorized script execution
  • Validate and sanitize any user-supplied content before rendering it to prevent similar issues



Advisories

No advisories yet.

History

Thu, 26 Mar 2026 18:15:00 +0000

  Type: Metrics (ssvc)
  Values Removed: (none)
  Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 26 Mar 2026 12:00:00 +0000

  Type: First Time appeared
  Values Removed: (none)
  Values Added:
    Hupe13
    Hupe13 dsgvo Snippet For Leaflet Map And Its Extensions
    Wordpress
    Wordpress wordpress

  Type: Vendors & Products
  Values Removed: (none)
  Values Added:
    Hupe13
    Hupe13 dsgvo Snippet For Leaflet Map And Its Extensions
    Wordpress
    Wordpress wordpress

Thu, 26 Mar 2026 05:15:00 +0000

  Type: Description
  Values Removed: (none)
  Values Added: The DSGVO snippet for Leaflet Map and its Extensions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `leafext-cookie-time` and `leafext-delete-cookie` shortcodes in all versions up to, and including, 3.1. This is due to insufficient input sanitization and output escaping on user supplied attributes (`unset`, `before`, `after`). This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

  Type: Title
  Values Removed: (none)
  Values Added: DSGVO snippet for Leaflet Map and its Extensions <= 3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'unset' Attribute

  Type: Weaknesses
  Values Removed: (none)
  Values Added: CWE-79

  Type: References
  Values Removed: (none)
  Values Added: (none)

  Type: Metrics (cvssV3_1)
  Values Removed: (none)
  Values Added: {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:28:35.417Z

Reserved: 2026-03-18T15:02:10.514Z

Link: CVE-2026-4389

Vulnrichment

Updated: 2026-03-26T17:48:10.731Z

NVD

Status : Awaiting Analysis

Published: 2026-03-26T05:16:40.667

Modified: 2026-03-30T13:26:50.827

Link: CVE-2026-4389

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-26T12:08:32Z

Weaknesses